tyler.durden/openssh-portable
1
0
Fork 0
mirror of https://github.com/PowerShell/openssh-portable.git synced 2025-07-29 00:34:33 +02:00
Code Issues Packages Projects Releases Wiki Activity

support --without-openssl at configure time

Browse Source 
Disables and removes dependency on OpenSSL. Many features don't
work and the set of crypto options is greatly restricted. This
will only work on system with native arc4random or /dev/urandom.

Considered highly experimental for now.
This commit is contained in:
Damien Miller 2015-01-15 02:21:31 +11:00
parent 4f38c61c68
commit 72ef7c148c
40 changed files with 709 additions and 511 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Makefile.in
View File

@ -76,7 +76,7 @@ LIBOPENSSH_OBJS=\
LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
authfd.o authfile.o bufaux.o bufbn.o buffer.o \
canohost.o channels.o cipher.o cipher-aes.o \
canohost.o channels.o cipher.o cipher-aes.o cipher-aesctr.o \
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
log.o match.o md-sha256.o moduli.o nchan.o packet.o \
@ -87,7 +87,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
ssh-pkcs11.o smult_curve25519_ref.o \
kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
ssh-ed25519.o digest-openssl.o hmac.o \
ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \
sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \

6
bufbn.c
View File

@ -20,12 +20,15 @@
#include "includes.h"
#ifdef WITH_OPENSSL
#include <sys/types.h>
#include "buffer.h"
#include "log.h"
#include "ssherr.h"
#ifdef WITH_SSH1
int
buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value)
{
@ -63,6 +66,7 @@ buffer_get_bignum(Buffer *buffer, BIGNUM *value)
if (buffer_get_bignum_ret(buffer, value) == -1)
fatal("%s: buffer error", __func__);
}
#endif /* WITH_SSH1 */
int
buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)
@ -101,3 +105,5 @@ buffer_get_bignum2(Buffer *buffer, BIGNUM *value)
if (buffer_get_bignum2_ret(buffer, value) == -1)
fatal("%s: buffer error", __func__);
}
#endif /* WITH_OPENSSL */

3
cipher-aesctr.c
View File

@ -18,6 +18,8 @@
#include <sys/types.h>
#include <string.h>
#ifndef WITH_OPENSSL
#include "cipher-aesctr.h"
/*
@ -76,3 +78,4 @@ aesctr_encrypt_bytes(aesctr_ctx *x,const u8 *m,u8 *c,u32 bytes)
n = (n + 1) % AES_BLOCK_SIZE;
}
}
#endif /* !WITH_OPENSSL */

3
cipher-bf1.c
View File

@ -20,6 +20,8 @@
#include "includes.h"
#ifdef WITH_OPENSSL
#include <sys/types.h>
#include <stdarg.h>
@ -98,3 +100,4 @@ evp_ssh1_bf(void)
ssh1_bf.key_len = 32;
return (&ssh1_bf);
}
#endif /* WITH_OPENSSL */

4
cipher-ctr.c
View File

@ -16,7 +16,7 @@
*/
#include "includes.h"
#ifndef OPENSSL_HAVE_EVPCTR
#if defined(WITH_OPENSSL) && !defined(OPENSSL_HAVE_EVPCTR)
#include <sys/types.h>
#include <stdarg.h>
@ -143,4 +143,4 @@ evp_aes_128_ctr(void)
return (&aes_ctr);
}
#endif /* OPENSSL_HAVE_EVPCTR */
#endif /* defined(WITH_OPENSSL) && !defined(OPENSSL_HAVE_EVPCTR) */

923
configure.ac
View File

@ -121,14 +121,34 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
#include <linux/prctl.h>
])
openssl=yes
ssh1=yes
AC_ARG_WITH([ssh1],
[ --without-ssh1 Disable support for SSH protocol 1],
AC_ARG_WITH([openssl],
[ --without-openssl Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
[ if test "x$withval" = "xno" ; then
openssl=no
ssh1=no
fi
]
)
AC_MSG_CHECKING([whether OpenSSL will be used for cryptography])
if test "x$openssl" = "xyes" ; then
AC_MSG_RESULT([yes])
AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography])
else
AC_MSG_RESULT([no])
fi
AC_ARG_WITH([ssh1],
[ --without-ssh1 Disable support for SSH protocol 1],
[
if test "x$withval" = "xno" ; then
ssh1=no
elif test "x$openssl" = "xno" ; then
AC_MSG_ERROR([Cannot enable SSH protocol 1 with OpenSSL disabled])
fi
]
)
AC_MSG_CHECKING([whether SSH protocol 1 support is enabled])
if test "x$ssh1" = "xyes" ; then
AC_MSG_RESULT([yes])
@ -1705,10 +1725,13 @@ AC_LINK_IFELSE(
[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
])
# PKCS#11 support requires dlopen() and co
AC_SEARCH_LIBS([dlopen], [dl],
[AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])]
)
# PKCS11 depends on OpenSSL.
if test "x$openssl" = "xyes" ; then
# PKCS#11 support requires dlopen() and co
AC_SEARCH_LIBS([dlopen], [dl],
[AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])]
)
fi
# IRIX has a const char return value for gai_strerror()
AC_CHECK_FUNCS([gai_strerror], [
@ -2197,6 +2220,9 @@ saved_LDFLAGS="$LDFLAGS"
AC_ARG_WITH([ssl-dir],
[ --with-ssl-dir=PATH Specify path to OpenSSL installation ],
[
if test "x$openssl" = "xno" ; then
AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled])
fi
if test "x$withval" != "xno" ; then
case "$withval" in
# Relative paths
@ -2229,443 +2255,456 @@ AC_ARG_WITH([ssl-dir],
fi
]
)
LIBS="-lcrypto $LIBS"
AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL], [1],
[Define if your ssl headers are included
with #include <openssl/header.h>])],
[
dnl Check default openssl install dir
if test -n "${need_dash_r}"; then
LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}"
else
LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}"
fi
CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}"
AC_CHECK_HEADER([openssl/opensslv.h], ,
[AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL])],
[
AC_MSG_ERROR([*** Can't find recent OpenSSL libcrypto (see config.log for details) ***])
]
)
]
)
# Determine OpenSSL header version
AC_MSG_CHECKING([OpenSSL header version])
AC_RUN_IFELSE(
[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <string.h>
#include <openssl/opensslv.h>
#define DATA "conftest.sslincver"
]], [[
FILE *fd;
int rc;
fd = fopen(DATA,"w");
if(fd == NULL)
exit(1);
if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
exit(1);
exit(0);
]])],
[
ssl_header_ver=`cat conftest.sslincver`
AC_MSG_RESULT([$ssl_header_ver])
],
[
AC_MSG_RESULT([not found])
AC_MSG_ERROR([OpenSSL version header not found.])
],
[
AC_MSG_WARN([cross compiling: not checking])
]
)
# Determine OpenSSL library version
AC_MSG_CHECKING([OpenSSL library version])
AC_RUN_IFELSE(
[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <string.h>
#include <openssl/opensslv.h>
#include <openssl/crypto.h>
#define DATA "conftest.ssllibver"
]], [[
FILE *fd;
int rc;
fd = fopen(DATA,"w");
if(fd == NULL)
exit(1);
if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(),
SSLeay_version(SSLEAY_VERSION))) <0)
exit(1);
exit(0);
]])],
[
ssl_library_ver=`cat conftest.ssllibver`
# Check version is supported.
case "$ssl_library_ver" in
0090[[0-7]]*|009080[[0-5]]*)
AC_MSG_ERROR([OpenSSL >= 0.9.8f required (have "$ssl_library_ver")])
;;
*) ;;
esac
AC_MSG_RESULT([$ssl_library_ver])
],
[
AC_MSG_RESULT([not found])
AC_MSG_ERROR([OpenSSL library not found.])
],
[
AC_MSG_WARN([cross compiling: not checking])
]
)
# XXX make --without-openssl work
AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography])
AC_ARG_WITH([openssl-header-check],
[ --without-openssl-header-check Disable OpenSSL version consistency check],
[ if test "x$withval" = "xno" ; then
openssl_check_nonfatal=1
fi
]
)
# Sanity check OpenSSL headers
AC_MSG_CHECKING([whether OpenSSL's headers match the library])
AC_RUN_IFELSE(
[AC_LANG_PROGRAM([[
#include <string.h>
#include <openssl/opensslv.h>
]], [[
exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1);
]])],
[
AC_MSG_RESULT([yes])
],
[
AC_MSG_RESULT([no])
if test "x$openssl_check_nonfatal" = "x"; then
AC_MSG_ERROR([Your OpenSSL headers do not match your
library. Check config.log for details.
If you are sure your installation is consistent, you can disable the check
by running "./configure --without-openssl-header-check".
Also see contrib/findssl.sh for help identifying header/library mismatches.
])
else
AC_MSG_WARN([Your OpenSSL headers do not match your
library. Check config.log for details.
Also see contrib/findssl.sh for help identifying header/library mismatches.])
if test "x$withval" = "xno" ; then
openssl_check_nonfatal=1
fi
],
[
AC_MSG_WARN([cross compiling: not checking])
]
)
AC_MSG_CHECKING([if programs using OpenSSL functions will link])
AC_LINK_IFELSE(
[AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]],
[[ SSLeay_add_all_algorithms(); ]])],
[
AC_MSG_RESULT([yes])
],
[
AC_MSG_RESULT([no])
saved_LIBS="$LIBS"
LIBS="$LIBS -ldl"
AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
AC_LINK_IFELSE(
[AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]],
[[ SSLeay_add_all_algorithms(); ]])],
[
AC_MSG_RESULT([yes])
],
[
AC_MSG_RESULT([no])
LIBS="$saved_LIBS"
]
)
]
)
AC_CHECK_FUNCS([ \
BN_is_prime_ex \
DSA_generate_parameters_ex \
EVP_DigestInit_ex \
EVP_DigestFinal_ex \
EVP_MD_CTX_init \
EVP_MD_CTX_cleanup \
EVP_MD_CTX_copy_ex \
HMAC_CTX_init \
RSA_generate_key_ex \
RSA_get_default_method \
])
openssl_engine=no
AC_ARG_WITH([ssl-engine],
[ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ],
[ if test "x$withval" != "xno" ; then
[
if test "x$openssl" = "xno" ; then
AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
fi
if test "x$withval" != "xno" ; then
openssl_engine=yes
fi
]
)
if test "x$openssl" = "xyes" ; then
LIBS="-lcrypto $LIBS"
AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL], [1],
[Define if your ssl headers are included
with #include <openssl/header.h>])],
[
dnl Check default openssl install dir
if test -n "${need_dash_r}"; then
LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}"
else
LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}"
fi
CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}"
AC_CHECK_HEADER([openssl/opensslv.h], ,
[AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL])],
[
AC_MSG_ERROR([*** Can't find recent OpenSSL libcrypto (see config.log for details) ***])
]
)
]
)
# Determine OpenSSL header version
AC_MSG_CHECKING([OpenSSL header version])
AC_RUN_IFELSE(
[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <string.h>
#include <openssl/opensslv.h>
#define DATA "conftest.sslincver"
]], [[
FILE *fd;
int rc;
fd = fopen(DATA,"w");
if(fd == NULL)
exit(1);
if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
exit(1);
exit(0);
]])],
[
ssl_header_ver=`cat conftest.sslincver`
AC_MSG_RESULT([$ssl_header_ver])
],
[
AC_MSG_RESULT([not found])
AC_MSG_ERROR([OpenSSL version header not found.])
],
[
AC_MSG_WARN([cross compiling: not checking])
]
)
# Determine OpenSSL library version
AC_MSG_CHECKING([OpenSSL library version])
AC_RUN_IFELSE(
[AC_LANG_PROGRAM([[
#include <stdio.h>
#include <string.h>
#include <openssl/opensslv.h>
#include <openssl/crypto.h>
#define DATA "conftest.ssllibver"
]], [[
FILE *fd;
int rc;
fd = fopen(DATA,"w");
if(fd == NULL)
exit(1);
if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(),
SSLeay_version(SSLEAY_VERSION))) <0)
exit(1);
exit(0);
]])],
[
ssl_library_ver=`cat conftest.ssllibver`
# Check version is supported.
case "$ssl_library_ver" in
0090[[0-7]]*|009080[[0-5]]*)
AC_MSG_ERROR([OpenSSL >= 0.9.8f required (have "$ssl_library_ver")])
;;
*) ;;
esac
AC_MSG_RESULT([$ssl_library_ver])
],
[
AC_MSG_RESULT([not found])
AC_MSG_ERROR([OpenSSL library not found.])
],
[
AC_MSG_WARN([cross compiling: not checking])
]
)
# Sanity check OpenSSL headers
AC_MSG_CHECKING([whether OpenSSL's headers match the library])
AC_RUN_IFELSE(
[AC_LANG_PROGRAM([[
#include <string.h>
#include <openssl/opensslv.h>
]], [[
exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1);
]])],
[
AC_MSG_RESULT([yes])
],
[
AC_MSG_RESULT([no])
if test "x$openssl_check_nonfatal" = "x"; then
AC_MSG_ERROR([Your OpenSSL headers do not match your
library. Check config.log for details.
If you are sure your installation is consistent, you can disable the check
by running "./configure --without-openssl-header-check".
Also see contrib/findssl.sh for help identifying header/library mismatches.
])
else
AC_MSG_WARN([Your OpenSSL headers do not match your
library. Check config.log for details.
Also see contrib/findssl.sh for help identifying header/library mismatches.])
fi
],
[
AC_MSG_WARN([cross compiling: not checking])
]
)
AC_MSG_CHECKING([if programs using OpenSSL functions will link])
AC_LINK_IFELSE(
[AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]],
[[ SSLeay_add_all_algorithms(); ]])],
[
AC_MSG_RESULT([yes])
],
[
AC_MSG_RESULT([no])
saved_LIBS="$LIBS"
LIBS="$LIBS -ldl"
AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
AC_LINK_IFELSE(
[AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]],
[[ SSLeay_add_all_algorithms(); ]])],
[
AC_MSG_RESULT([yes])
],
[
AC_MSG_RESULT([no])
LIBS="$saved_LIBS"
]
)
]
)
AC_CHECK_FUNCS([ \
BN_is_prime_ex \
DSA_generate_parameters_ex \
EVP_DigestInit_ex \
EVP_DigestFinal_ex \
EVP_MD_CTX_init \
EVP_MD_CTX_cleanup \
EVP_MD_CTX_copy_ex \
HMAC_CTX_init \
RSA_generate_key_ex \
RSA_get_default_method \
])
if test "x$openssl_engine" = "xyes" ; then
AC_MSG_CHECKING([for OpenSSL ENGINE support])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <openssl/engine.h>
#include <openssl/engine.h>
]], [[
ENGINE_load_builtin_engines();
ENGINE_register_all_complete();
ENGINE_load_builtin_engines();
ENGINE_register_all_complete();
]])],
[ AC_MSG_RESULT([yes])
AC_DEFINE([USE_OPENSSL_ENGINE], [1],
[Enable OpenSSL engine support])
], [ AC_MSG_ERROR([OpenSSL ENGINE support not found])
])
fi ]
)
fi
# Check for OpenSSL without EVP_aes_{192,256}_cbc
AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
AC_LINK_IFELSE(
[AC_LANG_PROGRAM([[
#include <string.h>
#include <openssl/evp.h>
]], [[
exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
]])],
[
AC_MSG_RESULT([no])
],
[
AC_MSG_RESULT([yes])
AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1],
[libcrypto is missing AES 192 and 256 bit functions])
]
)
# Check for OpenSSL with EVP_aes_*ctr
AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP])
AC_LINK_IFELSE(
[AC_LANG_PROGRAM([[
#include <string.h>
#include <openssl/evp.h>
]], [[
exit(EVP_aes_128_ctr() == NULL ||
EVP_aes_192_cbc() == NULL ||
EVP_aes_256_cbc() == NULL);
]])],
[
AC_MSG_RESULT([yes])
AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1],
[libcrypto has EVP AES CTR])
],
[
AC_MSG_RESULT([no])
]
)
# Check for OpenSSL with EVP_aes_*gcm
AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP])
AC_LINK_IFELSE(
[AC_LANG_PROGRAM([[
#include <string.h>
#include <openssl/evp.h>
]], [[
exit(EVP_aes_128_gcm() == NULL ||
EVP_aes_256_gcm() == NULL ||
EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
EVP_CTRL_GCM_IV_GEN == 0 ||
EVP_CTRL_GCM_SET_TAG == 0 ||
EVP_CTRL_GCM_GET_TAG == 0 ||
EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
]])],
[
AC_MSG_RESULT([yes])
AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1],
[libcrypto has EVP AES GCM])
],
[
AC_MSG_RESULT([no])
unsupported_algorithms="$unsupported_cipers \
aes128-gcm@openssh.com aes256-gcm@openssh.com"
]
)
AC_SEARCH_LIBS([EVP_CIPHER_CTX_ctrl], [crypto],
[AC_DEFINE([HAVE_EVP_CIPHER_CTX_CTRL], [1],
[Define if libcrypto has EVP_CIPHER_CTX_ctrl])])
AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
AC_LINK_IFELSE(
[AC_LANG_PROGRAM([[
#include <string.h>
#include <openssl/evp.h>
]], [[
if(EVP_DigestUpdate(NULL, NULL,0))
exit(0);
]])],
[
AC_MSG_RESULT([yes])
],
[
AC_MSG_RESULT([no])
AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1],
[Define if EVP_DigestUpdate returns void])
]
)
# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
# because the system crypt() is more featureful.
if test "x$check_for_libcrypt_before" = "x1"; then
AC_CHECK_LIB([crypt], [crypt])
fi
# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the
# version in OpenSSL.
if test "x$check_for_libcrypt_later" = "x1"; then
AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
fi
AC_CHECK_FUNCS([crypt DES_crypt])
# Search for SHA256 support in libc and/or OpenSSL
AC_CHECK_FUNCS([SHA256_Update EVP_sha256], ,
[unsupported_algorithms="$unsupported_algorithms \
hmac-sha2-256 hmac-sha2-512 \
diffie-hellman-group-exchange-sha256 \
hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
]
)
# Search for RIPE-MD support in OpenSSL
AC_CHECK_FUNCS([EVP_ripemd160], ,
[unsupported_algorithms="$unsupported_algorithms \
hmac-ripemd160
hmac-ripemd160@openssh.com
hmac-ripemd160-etm@openssh.com"
]
)
# Check complete ECC support in OpenSSL
AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
AC_LINK_IFELSE(
[AC_LANG_PROGRAM([[
#include <openssl/ec.h>
#include <openssl/ecdh.h>
#include <openssl/ecdsa.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/opensslv.h>
#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
# error "OpenSSL < 0.9.8g has unreliable ECC code"
#endif
]], [[
EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
const EVP_MD *m = EVP_sha256(); /* We need this too */
]])],
[ AC_MSG_RESULT([yes])
enable_nistp256=1 ],
[ AC_MSG_RESULT([no]) ]
)
AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
AC_LINK_IFELSE(
[AC_LANG_PROGRAM([[
#include <openssl/ec.h>
#include <openssl/ecdh.h>
#include <openssl/ecdsa.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/opensslv.h>
#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
# error "OpenSSL < 0.9.8g has unreliable ECC code"
#endif
]], [[
EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
const EVP_MD *m = EVP_sha384(); /* We need this too */
]])],
[ AC_MSG_RESULT([yes])
enable_nistp384=1 ],
[ AC_MSG_RESULT([no]) ]
)
AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
AC_LINK_IFELSE(
[AC_LANG_PROGRAM([[
#include <openssl/ec.h>
#include <openssl/ecdh.h>
#include <openssl/ecdsa.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/opensslv.h>
#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
# error "OpenSSL < 0.9.8g has unreliable ECC code"
#endif
]], [[
EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
const EVP_MD *m = EVP_sha512(); /* We need this too */
]])],
[ AC_MSG_RESULT([yes])
AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
AC_RUN_IFELSE(
# Check for OpenSSL without EVP_aes_{192,256}_cbc
AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
AC_LINK_IFELSE(
[AC_LANG_PROGRAM([[
#include <openssl/ec.h>
#include <openssl/ecdh.h>
#include <openssl/ecdsa.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/opensslv.h>
]],[[
EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
const EVP_MD *m = EVP_sha512(); /* We need this too */
exit(e == NULL || m == NULL);
#include <string.h>
#include <openssl/evp.h>
]], [[
exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
]])],
[
AC_MSG_RESULT([no])
],
[
AC_MSG_RESULT([yes])
AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1],
[libcrypto is missing AES 192 and 256 bit functions])
]
)
# Check for OpenSSL with EVP_aes_*ctr
AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP])
AC_LINK_IFELSE(
[AC_LANG_PROGRAM([[
#include <string.h>
#include <openssl/evp.h>
]], [[
exit(EVP_aes_128_ctr() == NULL ||
EVP_aes_192_cbc() == NULL ||
EVP_aes_256_cbc() == NULL);
]])],
[
AC_MSG_RESULT([yes])
AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1],
[libcrypto has EVP AES CTR])
],
[
AC_MSG_RESULT([no])
]
)
# Check for OpenSSL with EVP_aes_*gcm
AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP])
AC_LINK_IFELSE(
[AC_LANG_PROGRAM([[
#include <string.h>
#include <openssl/evp.h>
]], [[
exit(EVP_aes_128_gcm() == NULL ||
EVP_aes_256_gcm() == NULL ||
EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
EVP_CTRL_GCM_IV_GEN == 0 ||
EVP_CTRL_GCM_SET_TAG == 0 ||
EVP_CTRL_GCM_GET_TAG == 0 ||
EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
]])],
[
AC_MSG_RESULT([yes])
AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1],
[libcrypto has EVP AES GCM])
],
[
AC_MSG_RESULT([no])
unsupported_algorithms="$unsupported_cipers \
aes128-gcm@openssh.com aes256-gcm@openssh.com"
]
)
AC_SEARCH_LIBS([EVP_CIPHER_CTX_ctrl], [crypto],
[AC_DEFINE([HAVE_EVP_CIPHER_CTX_CTRL], [1],
[Define if libcrypto has EVP_CIPHER_CTX_ctrl])])
AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
AC_LINK_IFELSE(
[AC_LANG_PROGRAM([[
#include <string.h>
#include <openssl/evp.h>
]], [[
if(EVP_DigestUpdate(NULL, NULL,0))
exit(0);
]])],
[
AC_MSG_RESULT([yes])
],
[
AC_MSG_RESULT([no])
AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1],
[Define if EVP_DigestUpdate returns void])
]
)
# Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
# because the system crypt() is more featureful.
if test "x$check_for_libcrypt_before" = "x1"; then
AC_CHECK_LIB([crypt], [crypt])
fi
# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the
# version in OpenSSL.
if test "x$check_for_libcrypt_later" = "x1"; then
AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
fi
# Search for SHA256 support in libc and/or OpenSSL
AC_CHECK_FUNCS([SHA256_Update EVP_sha256], ,
[unsupported_algorithms="$unsupported_algorithms \
hmac-sha2-256 hmac-sha2-512 \
diffie-hellman-group-exchange-sha256 \
hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
]
)
# Search for RIPE-MD support in OpenSSL
AC_CHECK_FUNCS([EVP_ripemd160], ,
[unsupported_algorithms="$unsupported_algorithms \
hmac-ripemd160
hmac-ripemd160@openssh.com
hmac-ripemd160-etm@openssh.com"
]
)
# Check complete ECC support in OpenSSL
AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
AC_LINK_IFELSE(
[AC_LANG_PROGRAM([[
#include <openssl/ec.h>
#include <openssl/ecdh.h>
#include <openssl/ecdsa.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/opensslv.h>
#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
# error "OpenSSL < 0.9.8g has unreliable ECC code"
#endif
]], [[
EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
const EVP_MD *m = EVP_sha256(); /* We need this too */
]])],
[ AC_MSG_RESULT([yes])
enable_nistp521=1 ],
[ AC_MSG_RESULT([no]) ],
[ AC_MSG_WARN([cross-compiling: assuming yes])
enable_nistp521=1 ]
)],
AC_MSG_RESULT([no])
)
enable_nistp256=1 ],
[ AC_MSG_RESULT([no]) ]
)
COMMENT_OUT_ECC="#no ecc#"
TEST_SSH_ECC=no
AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
AC_LINK_IFELSE(
[AC_LANG_PROGRAM([[
#include <openssl/ec.h>
#include <openssl/ecdh.h>
#include <openssl/ecdsa.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/opensslv.h>
#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
# error "OpenSSL < 0.9.8g has unreliable ECC code"
#endif
]], [[
EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
const EVP_MD *m = EVP_sha384(); /* We need this too */
]])],
[ AC_MSG_RESULT([yes])
enable_nistp384=1 ],
[ AC_MSG_RESULT([no]) ]
)
if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
test x$enable_nistp521 = x1; then
AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
fi
if test x$enable_nistp256 = x1; then
AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
[libcrypto has NID_X9_62_prime256v1])
TEST_SSH_ECC=yes
COMMENT_OUT_ECC=""
else
unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \
ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com"
fi
if test x$enable_nistp384 = x1; then
AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
TEST_SSH_ECC=yes
COMMENT_OUT_ECC=""
else
unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp384 \
ecdh-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com"
fi
if test x$enable_nistp521 = x1; then
AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
TEST_SSH_ECC=yes
COMMENT_OUT_ECC=""
else
unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \
ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com"
fi
AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
AC_LINK_IFELSE(
[AC_LANG_PROGRAM([[
#include <openssl/ec.h>
#include <openssl/ecdh.h>
#include <openssl/ecdsa.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/opensslv.h>
#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
# error "OpenSSL < 0.9.8g has unreliable ECC code"
#endif
]], [[
EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
const EVP_MD *m = EVP_sha512(); /* We need this too */
]])],
[ AC_MSG_RESULT([yes])
AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
AC_RUN_IFELSE(
[AC_LANG_PROGRAM([[
#include <openssl/ec.h>
#include <openssl/ecdh.h>
#include <openssl/ecdsa.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/opensslv.h>
]],[[
EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
const EVP_MD *m = EVP_sha512(); /* We need this too */
exit(e == NULL || m == NULL);
]])],
[ AC_MSG_RESULT([yes])
enable_nistp521=1 ],
[ AC_MSG_RESULT([no]) ],
[ AC_MSG_WARN([cross-compiling: assuming yes])
enable_nistp521=1 ]
)],
AC_MSG_RESULT([no])
)
AC_SUBST([TEST_SSH_ECC])
AC_SUBST([COMMENT_OUT_ECC])
COMMENT_OUT_ECC="#no ecc#"
TEST_SSH_ECC=no
if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
test x$enable_nistp521 = x1; then
AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
fi
if test x$enable_nistp256 = x1; then
AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
[libcrypto has NID_X9_62_prime256v1])
TEST_SSH_ECC=yes
COMMENT_OUT_ECC=""
else
unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \
ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com"
fi
if test x$enable_nistp384 = x1; then
AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
TEST_SSH_ECC=yes
COMMENT_OUT_ECC=""
else
unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp384 \
ecdh-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com"
fi
if test x$enable_nistp521 = x1; then
AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
TEST_SSH_ECC=yes
COMMENT_OUT_ECC=""
else
unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \
ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com"
fi
AC_SUBST([TEST_SSH_ECC])
AC_SUBST([COMMENT_OUT_ECC])
else
AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
AC_CHECK_FUNCS([crypt DES_crypt])
fi
AC_CHECK_FUNCS([ \
arc4random \
@ -2687,28 +2726,30 @@ LIBS="$saved_LIBS"
### Configure cryptographic random number support
# Check wheter OpenSSL seeds itself
AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
AC_RUN_IFELSE(
[AC_LANG_PROGRAM([[
#include <string.h>
#include <openssl/rand.h>
]], [[
exit(RAND_status() == 1 ? 0 : 1);
]])],
[
OPENSSL_SEEDS_ITSELF=yes
AC_MSG_RESULT([yes])
],
[
AC_MSG_RESULT([no])
],
[
AC_MSG_WARN([cross compiling: assuming yes])
# This is safe, since we will fatal() at runtime if
# OpenSSL is not seeded correctly.
OPENSSL_SEEDS_ITSELF=yes
]
)
if test "x$openssl" = "xyes" ; then
AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
AC_RUN_IFELSE(
[AC_LANG_PROGRAM([[
#include <string.h>
#include <openssl/rand.h>
]], [[
exit(RAND_status() == 1 ? 0 : 1);
]])],
[
OPENSSL_SEEDS_ITSELF=yes
AC_MSG_RESULT([yes])
],
[
AC_MSG_RESULT([no])
],
[
AC_MSG_WARN([cross compiling: assuming yes])
# This is safe, since we will fatal() at runtime if
# OpenSSL is not seeded correctly.
OPENSSL_SEEDS_ITSELF=yes
]
)
fi
# PRNGD TCP socket
AC_ARG_WITH([prngd-port],
@ -2790,8 +2831,10 @@ elif test ! -z "$PRNGD_SOCKET" ; then
RAND_MSG="PRNGd socket $PRNGD_SOCKET"
elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then
AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
[Define if you want OpenSSL's internally seeded PRNG only])
[Define if you want the OpenSSL internally seeded PRNG only])
RAND_MSG="OpenSSL internal ONLY"
elif test "x$openssl" = "xno" ; then
AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible])
else
AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
fi

29
digest-libc.c
View File

@ -18,15 +18,19 @@
#include "includes.h"
#ifndef WITH_OPENSSL
#include <sys/types.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#if 0
#include <md5.h>
#include <rmd160.h>
#include <sha1.h>
#include <sha2.h>
#endif
#include "ssherr.h"
#include "sshbuf.h"
@ -89,30 +93,30 @@ const struct ssh_digest digests[SSH_DIGEST_MAX] = {
"SHA256",
SHA256_BLOCK_LENGTH,
SHA256_DIGEST_LENGTH,
sizeof(SHA2_CTX),
(md_init_fn *) SHA256Init,
(md_update_fn *) SHA256Update,
(md_final_fn *) SHA256Final
sizeof(SHA256_CTX),
(md_init_fn *) SHA256_Init,
(md_update_fn *) SHA256_Update,
(md_final_fn *) SHA256_Final
},
{
SSH_DIGEST_SHA384,
"SHA384",
SHA384_BLOCK_LENGTH,
SHA384_DIGEST_LENGTH,
sizeof(SHA2_CTX),
(md_init_fn *) SHA384Init,
(md_update_fn *) SHA384Update,
(md_final_fn *) SHA384Final
sizeof(SHA384_CTX),
(md_init_fn *) SHA384_Init,
(md_update_fn *) SHA384_Update,
(md_final_fn *) SHA384_Final
},
{
SSH_DIGEST_SHA512,
"SHA512",
SHA512_BLOCK_LENGTH,
SHA512_DIGEST_LENGTH,
sizeof(SHA2_CTX),
(md_init_fn *) SHA512Init,
(md_update_fn *) SHA512Update,
(md_final_fn *) SHA512Final
sizeof(SHA512_CTX),
(md_init_fn *) SHA512_Init,
(md_update_fn *) SHA512_Update,
(md_final_fn *) SHA512_Final
}
};
@ -257,3 +261,4 @@ ssh_digest_buffer(int alg, const struct sshbuf *b, u_char *d, size_t dlen)
{
return ssh_digest_memory(alg, sshbuf_ptr(b), sshbuf_len(b), d, dlen);
}
#endif /* !WITH_OPENSSL */

3
digest-openssl.c
View File

@ -17,6 +17,8 @@
#include "includes.h"
#ifdef WITH_OPENSSL
#include <sys/types.h>
#include <limits.h>
#include <stdlib.h>
@ -200,3 +202,4 @@ ssh_digest_buffer(int alg, const struct sshbuf *b, u_char *d, size_t dlen)
{
return ssh_digest_memory(alg, sshbuf_ptr(b), sshbuf_len(b), d, dlen);
}
#endif /* WITH_OPENSSL */

12
entropy.c
View File

@ -24,6 +24,8 @@
#include "includes.h"
#ifdef WITH_OPENSSL
#include <sys/types.h>
#include <sys/socket.h>
#ifdef HAVE_SYS_UN_H
@ -230,3 +232,13 @@ seed_rng(void)
if (RAND_status() != 1)
fatal("PRNG is not seeded");
}
#else /* WITH_OPENSSL */
/* Handled in arc4random() */
void
seed_rng(void)
{
}
#endif /* WITH_OPENSSL */

2
includes.h
View File

@ -167,7 +167,9 @@
# endif
#endif
#ifdef WITH_OPENSSL
#include <openssl/opensslv.h> /* For OPENSSL_VERSION_NUMBER */
#endif
#include "defines.h"

4
kex.c
View File

@ -90,9 +90,9 @@ static const struct kexalg kexalgs[] = {
# endif /* OPENSSL_HAS_NISTP521 */
#endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
#ifdef HAVE_EVP_SHA256
#if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
#endif /* HAVE_EVP_SHA256 */
#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
{ NULL, -1, -1, -1},
};

3
kexdh.c
View File

@ -25,6 +25,8 @@
#include "includes.h"
#ifdef WITH_OPENSSL
#include <sys/types.h>
#include <signal.h>
@ -85,3 +87,4 @@ kex_dh_hash(
*hash = digest;
*hashlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
}
#endif /* WITH_OPENSSL */

3
kexdhc.c
View File

@ -25,6 +25,8 @@
#include "includes.h"
#ifdef WITH_OPENSSL
#include <sys/types.h>
#include <openssl/dh.h>
@ -159,3 +161,4 @@ kexdh_client(Kex *kex)
BN_clear_free(shared_secret);
kex_finish(kex);
}
#endif /* WITH_OPENSSL */

3
kexdhs.c
View File

@ -25,6 +25,8 @@
#include "includes.h"
#ifdef WITH_OPENSSL
#include <sys/types.h>
#include <stdarg.h>
@ -158,3 +160,4 @@ kexdh_server(Kex *kex)
BN_clear_free(shared_secret);
kex_finish(kex);
}
#endif /* WITH_OPENSSL */

4
kexecdh.c
View File

@ -26,7 +26,7 @@
#include "includes.h"
#ifdef OPENSSL_HAS_ECC
#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
#include <sys/types.h>
@ -94,4 +94,4 @@ kex_ecdh_hash(
*hash = digest;
*hashlen = ssh_digest_bytes(hash_alg);
}
#endif /* OPENSSL_HAS_ECC */
#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */

12
kexecdhc.c
View File

@ -26,6 +26,8 @@
#include "includes.h"
#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
#include <sys/types.h>
#include <stdio.h>
@ -42,8 +44,6 @@
#include "dh.h"
#include "ssh2.h"
#ifdef OPENSSL_HAS_ECC
#include <openssl/ecdh.h>
void
@ -156,10 +156,4 @@ kexecdh_client(Kex *kex)
BN_clear_free(shared_secret);
kex_finish(kex);
}
#else /* OPENSSL_HAS_ECC */
void
kexecdh_client(Kex *kex)
{
fatal("ECC support is not enabled");
}
#endif /* OPENSSL_HAS_ECC */
#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */

12
kexecdhs.c
View File

@ -26,6 +26,8 @@
#include "includes.h"
#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
#include <sys/types.h>
#include <string.h>
#include <signal.h>
@ -39,8 +41,6 @@
#include "packet.h"
#include "ssh2.h"
#ifdef OPENSSL_HAS_ECC
#include <openssl/ecdh.h>
void
@ -152,10 +152,4 @@ kexecdh_server(Kex *kex)
BN_clear_free(shared_secret);
kex_finish(kex);
}
#else /* OPENSSL_HAS_ECC */
void
kexecdh_server(Kex *kex)
{
fatal("ECC support is not enabled");
}
#endif /* OPENSSL_HAS_ECC */
#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */

3
kexgex.c
View File

@ -26,6 +26,8 @@
#include "includes.h"
#ifdef WITH_OPENSSL
#include <sys/types.h>
#include <openssl/evp.h>
@ -96,3 +98,4 @@ kexgex_hash(
*hash = digest;
*hashlen = ssh_digest_bytes(hash_alg);
}
#endif /* WITH_OPENSSL */

3
kexgexc.c
View File

@ -26,6 +26,8 @@
#include "includes.h"
#ifdef WITH_OPENSSL
#include <sys/types.h>
#include <openssl/dh.h>
@ -205,3 +207,4 @@ kexgex_client(Kex *kex)
kex_finish(kex);
}
#endif /* WITH_OPENSSL */

3
kexgexs.c
View File

@ -26,6 +26,8 @@
#include "includes.h"
#ifdef WITH_OPENSSL
#include <sys/param.h>
#include <stdarg.h>
@ -206,3 +208,4 @@ kexgex_server(Kex *kex)
kex_finish(kex);
}
#endif /* WITH_OPENSSL */

3
krl.c
View File

@ -18,6 +18,8 @@
#include "includes.h"
#ifdef WITH_OPENSSL /* XXX just fix bignums and this is good */
#include <sys/types.h>
#include <sys/param.h>
#include <openbsd-compat/sys-tree.h>
@ -1282,3 +1284,4 @@ ssh_krl_file_contains_key(const char *path, const struct sshkey *key)
errno = oerrno;
return r;
}
#endif /* WITH_OPENSSL */

4
moduli.c
View File

@ -39,6 +39,8 @@
#include "includes.h"
#ifdef WITH_OPENSSL
#include <sys/param.h>
#include <sys/types.h>
@ -802,3 +804,5 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted,
return (res);
}
#endif /* WITH_OPENSSL */

4
monitor_wrap.c
View File

@ -151,8 +151,10 @@ mm_request_receive(int sock, Buffer *m)
debug3("%s entering", __func__);
if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) {
if (errno == EPIPE)
if (errno == EPIPE) {
error("%s: socket closed", __func__);
cleanup_exit(255);
}
fatal("%s: read: %s", __func__, strerror(errno));
}
msg_len = get_u32(buf);

2
openbsd-compat/Makefile.in
View File

@ -16,7 +16,7 @@ RANLIB=@RANLIB@
INSTALL=@INSTALL@
LDFLAGS=-L. @LDFLAGS@
OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o reallocarray.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o
OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o reallocarray.o realpath.o rresvport.o setenv.o setproctitle.o sha1.o sha2.o rmd160.o md5.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o

36
openbsd-compat/arc4random.c
View File

@ -26,15 +26,19 @@
#include "includes.h"
#include <sys/types.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#ifndef HAVE_ARC4RANDOM
#ifdef WITH_OPENSSL
#include <openssl/rand.h>
#include <openssl/err.h>
#endif
#include "log.h"
@ -73,14 +77,44 @@ _rs_init(u_char *buf, size_t n)
chacha_ivsetup(&rs, buf + KEYSZ);
}
#ifndef WITH_OPENSSL
#define SSH_RANDOM_DEV "/dev/urandom"
/* XXX use getrandom() if supported on Linux */
static void
getrnd(u_char *s, size_t len)
{
int fd;
ssize_t r;
size_t o = 0;
if ((fd = open(SSH_RANDOM_DEV, O_RDONLY)) == -1)
fatal("Couldn't open %s: %s", SSH_RANDOM_DEV, strerror(errno));
while (o < len) {
r = read(fd, s + o, len - o);
if (r < 0) {
if (errno == EAGAIN || errno == EINTR ||
errno == EWOULDBLOCK)
continue;
fatal("read %s: %s", SSH_RANDOM_DEV, strerror(errno));
}
o += r;
}
close(fd);
}
#endif
static void
_rs_stir(void)
{
u_char rnd[KEYSZ + IVSZ];
#ifdef WITH_OPENSSL
if (RAND_bytes(rnd, sizeof(rnd)) <= 0)
fatal("Couldn't obtain random bytes (error %ld)",
ERR_get_error());
#else
getrnd(rnd, sizeof(rnd));
#endif
if (!rs_initialized) {
rs_initialized = 1;

3
openbsd-compat/bcrypt_pbkdf.c
View File

@ -32,6 +32,9 @@
#endif
#include "crypto_api.h"
#ifdef SHA512_DIGEST_LENGTH
# undef SHA512_DIGEST_LENGTH
#endif
#define SHA512_DIGEST_LENGTH crypto_hash_sha512_BYTES
/*

3
openbsd-compat/openbsd-compat.h
View File

@ -43,7 +43,10 @@
#include "readpassphrase.h"
#include "vis.h"
#include "getrrsetbyname.h"
#include "sha1.h"
#include "sha2.h"
#include "rmd160.h"
#include "md5.h"
#include "blf.h"
#ifndef HAVE_BASENAME

4
openbsd-compat/openssl-compat.c
View File

@ -19,6 +19,8 @@
#define SSH_DONT_OVERLOAD_OPENSSL_FUNCS
#include "includes.h"
#ifdef WITH_OPENSSL
#include <stdarg.h>
#include <string.h>
@ -78,3 +80,5 @@ ssh_OpenSSL_add_all_algorithms(void)
OPENSSL_config(NULL);
}
#endif
#endif /* WITH_OPENSSL */

3
openbsd-compat/openssl-compat.h
View File

@ -20,6 +20,8 @@
#define _OPENSSL_COMPAT_H
#include "includes.h"
#ifdef WITH_OPENSSL
#include <openssl/opensslv.h>
#include <openssl/evp.h>
#include <openssl/rsa.h>
@ -90,4 +92,5 @@ void ssh_OpenSSL_add_all_algorithms(void);
#endif /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */
#endif /* WITH_OPENSSL */
#endif /* _OPENSSL_COMPAT_H */

40
openbsd-compat/sha2.c
View File

@ -38,13 +38,18 @@
#include "includes.h"
#include <openssl/opensslv.h>
#ifdef WITH_OPENSSL
# include <openssl/opensslv.h>
# if !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L)
# define _NEED_SHA2 1
# endif
#else
# define _NEED_SHA2 1
#endif
#if defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE)
#if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
(OPENSSL_VERSION_NUMBER >= 0x00907000L)
#include <sys/types.h>
#include <string.h>
#include "sha2.h"
/*
* UNROLLED TRANSFORM LOOP NOTE:
@ -838,7 +843,6 @@ SHA512_Final(u_int8_t digest[SHA512_DIGEST_LENGTH], SHA512_CTX *context)
}
#if 0
/*** SHA-384: *********************************************************/
void
SHA384_Init(SHA384_CTX *context)
@ -851,9 +855,29 @@ SHA384_Init(SHA384_CTX *context)
context->bitcount[0] = context->bitcount[1] = 0;
}
#if 0
__weak_alias(SHA384_Transform, SHA512_Transform);
__weak_alias(SHA384_Update, SHA512_Update);
__weak_alias(SHA384_Pad, SHA512_Pad);
#endif
void
SHA384_Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH])
{
return SHA512_Transform(state, data);
}
void
SHA384_Update(SHA512_CTX *context, const u_int8_t *data, size_t len)
{
SHA512_Update(context, data, len);
}
void
SHA384_Pad(SHA512_CTX *context)
{
SHA512_Pad(context);
}
void
SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context)
@ -876,7 +900,5 @@ SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context)
/* Zero out state data */
memset(context, 0, sizeof(*context));
}
#endif
#endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
(OPENSSL_VERSION_NUMBER >= 0x00907000L) */
#endif /* defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE) */

19
openbsd-compat/sha2.h
View File

@ -41,10 +41,16 @@
#include "includes.h"
#include <openssl/opensslv.h>
#ifdef WITH_OPENSSL
# include <openssl/opensslv.h>
# if !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L)
# define _NEED_SHA2 1
# endif
#else
# define _NEED_SHA2 1
#endif
#if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
(OPENSSL_VERSION_NUMBER >= 0x00907000L)
#if defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE)
/*** SHA-256/384/512 Various Length Definitions ***********************/
#define SHA256_BLOCK_LENGTH 64
@ -70,9 +76,7 @@ typedef struct _SHA512_CTX {
u_int8_t buffer[SHA512_BLOCK_LENGTH];
} SHA512_CTX;
#if 0
typedef SHA512_CTX SHA384_CTX;
#endif
void SHA256_Init(SHA256_CTX *);
void SHA256_Transform(u_int32_t state[8], const u_int8_t [SHA256_BLOCK_LENGTH]);
@ -91,7 +95,6 @@ char *SHA256_Data(const u_int8_t *, size_t, char *)
__attribute__((__bounded__(__string__,1,2)))
__attribute__((__bounded__(__minbytes__,3,SHA256_DIGEST_STRING_LENGTH)));
#if 0
void SHA384_Init(SHA384_CTX *);
void SHA384_Transform(u_int64_t state[8], const u_int8_t [SHA384_BLOCK_LENGTH]);
void SHA384_Update(SHA384_CTX *, const u_int8_t *, size_t)
@ -108,7 +111,6 @@ char *SHA384_FileChunk(const char *, char *, off_t, off_t)
char *SHA384_Data(const u_int8_t *, size_t, char *)
__attribute__((__bounded__(__string__,1,2)))
__attribute__((__bounded__(__minbytes__,3,SHA384_DIGEST_STRING_LENGTH)));
#endif /* 0 */
void SHA512_Init(SHA512_CTX *);
void SHA512_Transform(u_int64_t state[8], const u_int8_t [SHA512_BLOCK_LENGTH]);
@ -127,7 +129,6 @@ char *SHA512_Data(const u_int8_t *, size_t, char *)
__attribute__((__bounded__(__string__,1,2)))
__attribute__((__bounded__(__minbytes__,3,SHA512_DIGEST_STRING_LENGTH)));
#endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
(OPENSSL_VERSION_NUMBER >= 0x00907000L) */
#endif /* defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE) */
#endif /* _SSHSHA2_H */

2
openbsd-compat/xcrypt.c
View File

@ -57,7 +57,7 @@
# include "md5crypt.h"
# endif
# if !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT)
# if defined(WITH_OPENSSL) && !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT)
# include <openssl/des.h>
# define crypt DES_crypt
# endif

2
packet.c
View File

@ -1612,6 +1612,7 @@ packet_get_ecpoint(const EC_GROUP *curve, EC_POINT *point)
buffer_get_ecpoint(&active_state->incoming_packet, curve, point);
}
#endif
#endif
void *
packet_get_raw(u_int *length_ptr)
@ -1622,7 +1623,6 @@ packet_get_raw(u_int *length_ptr)
*length_ptr = bytes;
return buffer_ptr(&active_state->incoming_packet);
}
#endif
int
packet_remaining(void)

4
ssh-add.c
View File

@ -70,11 +70,13 @@ extern char *__progname;
/* Default files to add */
static char *default_files[] = {
#ifdef WITH_OPENSSL
_PATH_SSH_CLIENT_ID_RSA,
_PATH_SSH_CLIENT_ID_DSA,
#ifdef OPENSSL_HAS_ECC
_PATH_SSH_CLIENT_ID_ECDSA,
#endif
#endif /* WITH_OPENSSL */
_PATH_SSH_CLIENT_ID_ED25519,
_PATH_SSH_CLIENT_IDENTITY,
NULL
@ -440,7 +442,9 @@ main(int argc, char **argv)
__progname = ssh_get_progname(argv[0]);
seed_rng();
#ifdef WITH_OPENSSL
OpenSSL_add_all_algorithms();
#endif
setvbuf(stdout, NULL, _IOLBF, 0);

3
ssh-dss.c
View File

@ -25,6 +25,8 @@
#include "includes.h"
#ifdef WITH_OPENSSL
#include <sys/types.h>
#include <openssl/bn.h>
@ -217,3 +219,4 @@ ssh_dss_verify(const struct sshkey *key,
}
return ret;
}
#endif /* WITH_OPENSSL */

4
ssh-ecdsa.c
View File

@ -26,7 +26,7 @@
#include "includes.h"
#ifdef OPENSSL_HAS_ECC
#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
#include <sys/types.h>
@ -189,4 +189,4 @@ ssh_ecdsa_verify(const struct sshkey *key,
return ret;
}
#endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */

22
ssh-keygen.c
View File

@ -19,9 +19,11 @@
#include <sys/stat.h>
#include <sys/param.h>
#ifdef WITH_OPENSSL
#include <openssl/evp.h>
#include <openssl/pem.h>
#include "openbsd-compat/openssl-compat.h"
#endif
#include <errno.h>
#include <fcntl.h>
@ -179,7 +181,9 @@ int prime_test(FILE *, FILE *, u_int32_t, u_int32_t, char *, unsigned long,
static void
type_bits_valid(int type, u_int32_t *bitsp)
{
#ifdef WITH_OPENSSL
u_int maxbits;
#endif
if (type == KEY_UNSPEC) {
fprintf(stderr, "unknown key type %s\n", key_type_name);
@ -193,13 +197,13 @@ type_bits_valid(int type, u_int32_t *bitsp)
else
*bitsp = DEFAULT_BITS;
}
#ifdef WITH_OPENSSL
maxbits = (type == KEY_DSA) ?
OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS;
if (*bitsp > maxbits) {
fprintf(stderr, "key bits exceeds maximum %d\n", maxbits);
exit(1);
}
#ifdef WITH_OPENSSL
if (type == KEY_DSA && *bitsp != 1024)
fatal("DSA keys must be 1024 bits");
else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768)
@ -2102,10 +2106,12 @@ update_krl_from_file(struct passwd *pw, const char *file, const Key *ca,
fclose(krl_spec);
free(path);
}
#endif /* WITH_OPENSSL */
static void
do_gen_krl(struct passwd *pw, int updating, int argc, char **argv)
{
#ifdef WITH_OPENSSL
struct ssh_krl *krl;
struct stat sb;
Key *ca = NULL;
@ -2155,11 +2161,15 @@ do_gen_krl(struct passwd *pw, int updating, int argc, char **argv)
ssh_krl_free(krl);
if (ca != NULL)
key_free(ca);
#else /* WITH_OPENSSL */
fatal("KRLs not supported without OpenSSL");
#endif /* WITH_OPENSSL */
}
static void
do_check_krl(struct passwd *pw, int argc, char **argv)
{
#ifdef WITH_OPENSSL
int i, r, ret = 0;
char *comment;
struct ssh_krl *krl;
@ -2182,8 +2192,10 @@ do_check_krl(struct passwd *pw, int argc, char **argv)
}
ssh_krl_free(krl);
exit(ret);
#else /* WITH_OPENSSL */
fatal("KRLs not supported without OpenSSL");
#endif /* WITH_OPENSSL */
}
#endif
static void
usage(void)
@ -2249,7 +2261,9 @@ main(int argc, char **argv)
__progname = ssh_get_progname(argv[0]);
#ifdef WITH_OPENSSL
OpenSSL_add_all_algorithms();
#endif
log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
seed_rng();
@ -2427,6 +2441,7 @@ main(int argc, char **argv)
fatal("Invalid number: %s (%s)",
optarg, errstr);
break;
#ifdef WITH_OPENSSL
case 'M':
memory = (u_int32_t)strtonum(optarg, 1, UINT_MAX, &errstr);
if (errstr)
@ -2454,6 +2469,7 @@ main(int argc, char **argv)
if (BN_hex2bn(&start, optarg) == 0)
fatal("Invalid start point.");
break;
#endif /* WITH_OPENSSL */
case 'V':
parse_cert_times(optarg);
break;
@ -2493,7 +2509,6 @@ main(int argc, char **argv)
printf("Cannot use -l with -H or -R.\n");
usage();
}
#ifdef WITH_OPENSSL
if (gen_krl) {
do_gen_krl(pw, update_krl, argc, argv);
return (0);
@ -2502,7 +2517,6 @@ main(int argc, char **argv)
do_check_krl(pw, argc, argv);
return (0);
}
#endif
if (ca_key_path != NULL) {
if (cert_key_id == NULL)
fatal("Must specify key id (-I) when certifying");

6
ssh-keysign.c
View File

@ -35,9 +35,11 @@
#include <string.h>
#include <unistd.h>
#ifdef WITH_OPENSSL
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/rsa.h>
#endif
#include "xmalloc.h"
#include "log.h"
@ -161,7 +163,9 @@ main(int argc, char **argv)
u_char *signature, *data;
char *host, *fp;
u_int slen, dlen;
#ifdef WITH_OPENSSL
u_int32_t rnd[256];
#endif
/* Ensure that stdin and stdout are connected */
if ((fd = open(_PATH_DEVNULL, O_RDWR)) < 2)
@ -204,9 +208,11 @@ main(int argc, char **argv)
if (found == 0)
fatal("could not open any host key");
#ifdef WITH_OPENSSL
OpenSSL_add_all_algorithms();
arc4random_buf(rnd, sizeof(rnd));
RAND_seed(rnd, sizeof(rnd));
#endif
found = 0;
for (i = 0; i < NUM_KEYTYPES; i++) {

3
ssh-rsa.c
View File

@ -17,6 +17,8 @@
#include "includes.h"
#ifdef WITH_OPENSSL
#include <sys/types.h>
#include <openssl/evp.h>
@ -263,3 +265,4 @@ done:
}
return ret;
}
#endif /* WITH_OPENSSL */

10
sshd.c
View File

@ -623,7 +623,9 @@ privsep_preauth_child(void)
arc4random_stir();
arc4random_buf(rnd, sizeof(rnd));
#ifdef WITH_OPENSSL
RAND_seed(rnd, sizeof(rnd));
#endif
explicit_bzero(rnd, sizeof(rnd));
/* Demote the private keys to public keys. */
@ -758,7 +760,9 @@ privsep_postauth(Authctxt *authctxt)
arc4random_stir();
arc4random_buf(rnd, sizeof(rnd));
#ifdef WITH_OPENSSL
RAND_seed(rnd, sizeof(rnd));
#endif
explicit_bzero(rnd, sizeof(rnd));
/* Drop privileges */
@ -988,7 +992,7 @@ send_rexec_state(int fd, Buffer *conf)
#endif
buffer_put_int(&m, 0);
#ifndef OPENSSL_PRNG_ONLY
#if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
rexec_send_rng_seed(&m);
#endif
@ -1041,7 +1045,7 @@ recv_rexec_state(int fd, Buffer *conf)
#endif
}
#ifndef OPENSSL_PRNG_ONLY
#if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
rexec_recv_rng_seed(&m);
#endif
@ -1372,7 +1376,9 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
*/
arc4random_stir();
arc4random_buf(rnd, sizeof(rnd));
#ifdef WITH_OPENSSL
RAND_seed(rnd, sizeof(rnd));
#endif
explicit_bzero(rnd, sizeof(rnd));
}